Re: [suse-security] Question About Sys/Sec Logs
From: Carlos E. R. (robin1.listastiscali.es)
Date: Tue Mar 15 2005 - 06:33:54 CST
The Monday 2005-03-14 at 14:33 -0500, Don Parris wrote:
> In my syslog (via Yast) I found the following entries:
> Mar 14 08:04:42 luke kernel: SFW2-INext-ACC-TCP IN=dsl0 OUT= MAC= SRC=22.214.171.124 DST=126.96.36.199 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=41916 DF PROTO=TCP SPT=34654 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A032FB2830000000001030300)
> Mar 14 08:04:44 luke sshd: Invalid user test from ::ffff:188.8.131.52
> Mar 14 08:04:45 luke kernel: SFW2-INext-ACC-TCP IN=dsl0 OUT= MAC= SRC=184.108.40.206 DST=220.127.116.11 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=27312 DF PROTO=TCP SPT=34740 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT
It is a known attempt to log in to your machine, probably automated,
trying to learn first whether certain common user names exist on your
machine: test, guest, admin, user, etc. Then, if they think that such a
user name exists, they will try to guess the password. Your system
rejected those attempts.
It seems they learn of the existence of those users because the sshd
daemon answers with different delays depending on whether the user name exists.
This was solved by a patch, reported in suse-security-announce on
18 Feb 2005:
- openssh information leak
Openssh as shipped with SUSE Linux allows a possible timing
attack that could be abused remotely to determine existing users
on the system by watching replies to failed password attempts.
This is tracked by the Mitre CVE ID CAN-2003-0190.
Additionally the output of failing PAM sessions will now be
displayed and the terminal-setting for aborted login-sessions
will get restored correctly.
This bugfix was released for SUSE Linux 9.1, 9.2 and SUSE Linux
Enterprise Server 9.
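The two log sources quoted above (the SuSEfirewall2 ACCEPT line for the SYN to port 22, then the sshd "Invalid user" line from the same source) can be correlated to pick out this kind of name-probing automatically. The script below is an added example, not code from the list thread or from SUSE: it parses constructed sample lines laid out like the ones in the post (documentation-range addresses, not real hosts), ties each "Invalid user" message to a firewall-accepted SYN from the same source within a short window, strips the `::ffff:` IPv4-mapped prefix sshd logs, and flags a source that cycles through several of the common names mentioned (test, guest, admin, user). The year is an assumption, since syslog timestamps carry none; the window size and the name list are tunable parameters chosen here, not anything the post prescribes.

```python
"""Correlate SuSEfirewall2 port-22 accepts with sshd 'Invalid user' lines
to spot automated user-name probing (added example, not list code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in the layout shown in the post: SFW2 kernel
# entries plus sshd messages. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar 14 08:04:42 luke kernel: SFW2-INext-ACC-TCP IN=dsl0 OUT= MAC= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=41916 DF PROTO=TCP SPT=34654 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A032FB2830000000001030300)
Mar 14 08:04:44 luke sshd: Invalid user test from ::ffff:203.0.113.7
Mar 14 08:04:45 luke kernel: SFW2-INext-ACC-TCP IN=dsl0 OUT= MAC= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=27312 DF PROTO=TCP SPT=34740 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A032FB2830000000001030300)
Mar 14 08:04:47 luke sshd: Invalid user guest from ::ffff:203.0.113.7
Mar 14 08:04:48 luke kernel: SFW2-INext-ACC-TCP IN=dsl0 OUT= MAC= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=27313 DF PROTO=TCP SPT=34801 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A032FB2830000000001030300)
Mar 14 08:04:50 luke sshd: Invalid user admin from ::ffff:203.0.113.7
Mar 14 08:05:02 luke kernel: SFW2-INext-ACC-TCP IN=dsl0 OUT= MAC= SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1187 DF PROTO=TCP SPT=40022 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A032FB2830000000001030300)
Mar 14 08:05:04 luke sshd: Accepted publickey for don from 198.51.100.4 port 40022 ssh2
Mar 14 08:06:10 luke kernel: SFW2-INext-DROP-DEFLT IN=dsl0 OUT= MAC= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=9 PROTO=TCP SPT=34900 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# "Mon DD HH:MM:SS host prog[pid]: message" (pid is optional, as in the post)
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$")
# SFW2-<zone>-<action>-<rule> followed by netfilter key=value fields
SFW2_RE = re.compile(r"^SFW2-(?P<zone>[^-]+)-(?P<action>[^-]+)-(?P<rule>\S+) (?P<fields>.*)$")
INVALID_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<src>\S+)")

# Assumed year: syslog carries none; 2005 is taken from the post's date.
LOG_YEAR = 2005
# Names the reply lists as typical probe targets (tunable).
PROBE_NAMES = frozenset({"test", "guest", "admin", "user"})


def parse_ts(ts, year=LOG_YEAR):
    """Turn 'Mar 14 08:04:42' into a datetime; strptime tolerates 'Mar  4'."""
    return datetime.strptime(f"{ts} {year}", "%b %d %H:%M:%S %Y")


def parse_sfw2(msg):
    """Split an SFW2 kernel message into zone/action/rule plus key=value
    fields; bare tokens such as DF and SYN are collected as flags."""
    m = SFW2_RE.match(msg)
    if not m:
        return None
    rec = {"zone": m["zone"], "action": m["action"], "rule": m["rule"], "flags": set()}
    for tok in m["fields"].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val
        else:
            rec["flags"].add(tok)
    return rec


def strip_v4mapped(addr):
    """sshd logs IPv4 peers as ::ffff:a.b.c.d when bound to an IPv6 socket."""
    return addr[7:] if addr.startswith("::ffff:") else addr


def correlate(log_text, window_seconds=10, probe_names=PROBE_NAMES):
    """Return {source: {"users": [...], "matched_syn": n, "probe": bool}}
    for every source that produced an sshd 'Invalid user' message."""
    accepts = []   # (time, src) for firewall-accepted SYNs to port 22
    invalid = []   # (time, src, user) for sshd 'Invalid user' lines
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        when = parse_ts(m["ts"])
        if m["prog"] == "kernel":
            rec = parse_sfw2(m["msg"])
            if (rec and rec["action"] == "ACC" and rec.get("PROTO") == "TCP"
                    and rec.get("DPT") == "22" and "SYN" in rec["flags"]):
                accepts.append((when, rec["SRC"]))
        elif m["prog"] == "sshd":
            im = INVALID_RE.match(m["msg"])
            if im:
                invalid.append((when, strip_v4mapped(im["src"]), im["user"]))

    window = timedelta(seconds=window_seconds)
    report = defaultdict(lambda: {"users": [], "matched_syn": 0, "probe": False})
    for when, src, user in invalid:
        entry = report[src]
        entry["users"].append(user)
        # Count the attempt as confirmed when the firewall saw the SYN
        # from the same source shortly before sshd rejected the name.
        if any(asrc == src and timedelta(0) <= when - at <= window for at, asrc in accepts):
            entry["matched_syn"] += 1
    for entry in report.values():
        # Two or more distinct common names from one source: name probing.
        entry["probe"] = len(set(entry["users"]) & probe_names) >= 2
    return dict(report)


if __name__ == "__main__":
    for src, entry in correlate(SAMPLE_LOG).items():
        tag = "PROBE" if entry["probe"] else "ok"
        print(f"{src}: {tag} users={entry['users']} confirmed_syn={entry['matched_syn']}")
```

A successful public-key login from another address shows up in neither list, and a SYN the firewall dropped never reaches sshd, so only the source that walked through test, guest and admin is reported. The same correlation works on a live `/var/log/messages` by feeding its text to `correlate`, though the SFW2 prefix and the exact sshd wording depend on the SuSEfirewall2 and OpenSSH versions in use.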